[JBoss Seam] - Re: Can't integrate Web JAAS authentication with Seam Identi
by gilsontavares
Hi guys,
thanks Jacob for your notes.
I thought 'bout this solution too, but the real problem is the UserPrincipal reference, not the roles. There is a method in the identity object to add roles but no way to set a pre-existing Subject or Principal. That's the problem.
The use of java security APIs in web apps is tricky. You are not supposed to have a login form where the user can authenticate himself beforehand. You can only configure a form to be presented when he tries to access a protected / secured resource of your app, and only through this form the container is aware that the authentication occurred and appends this information in every request from this point on. You can access this information using request.getUserPrincipal() (not Seam approach) or org.jboss.seam.core.UserPrincipal. Our solution is to create a form the user can fill and the action of this form redirects the request to a protected page "/private/abcd.seam" that only change the browser's location object to "/public/abcd.seam". In my web.xml I have:
| ...
|
| <security-constraint>
| <web-resource-collection>
| <web-resource-name>My Private Pages</web-resource-name>
| <url-pattern>/private/*</url-pattern>
| </web-resource-collection>
| <auth-constraint>
| <role-name>*</role-name>
| </auth-constraint>
| </security-constraint>
|
| ...
|
| <login-config>
| <auth-method>FORM</auth-method>
| <realm-name>myRealmName</realm-name>
| <form-login-config>
| <form-login-page>/jaasLogin.seam</form-login-page>
| <form-error-page>/jaasLoginError.seam</form-error-page>
| </form-login-config>
| </login-config>
|
| ...
So, when I redirect the request to "/private/abcd.seam", the container automatically sends "/private/jaasLogin.seam" to the user. This page content does an immediate form submission using the information the user supplied im my official login form:
| <body onload="document.forms[0].submit();">
| <form method="post" action="j_security_check">
| <input type="hidden" name="j_username" id="j_username" value="#{user.username}" />
| <input type="hidden" name="j_password" id="j_password" value="#{user.password}" />
| </form>
| </body>
|
This way, my LoginModule is invoked and the authentication happens as it is supposed to and when the private page is finally reached it redirects the user to the real "after Login page" of my initial web app. From this moment on, the user has access granted to all my "/private/*" pages. As I configured my JBoss to use SSO, all my apps will receive the userPrincipal of this first app, that mainly configures the public and private options of all other apps. So all my apps see the user as already authenticated, granting access to their "/private/*" pages too. In these pages I want to use #{s:hasRole} and #{s:hasPermission} and @Restrict to further define user's permissions.
My problem is that as I can't push this userPrincipal into the identity object, a pre-condition to use Seam permission checking, I am being forced to authenticate the user again, configuring the identity in the components.xml file to use the same realm declared im my web.xml:
| <security:identity jaas-config-name="myRealmName" />
I end up with 2 Principal objects I must keep in sync. I think that would be great if Seam was able to "detect" that there is an already authenticated user information available (when using JAAS, of course) and use it or, at least, allow the developer to do that.
I asked for an opinion from the development team but until now no one answered. Maybe my approach is completely wrong and I should be doing something completely different. Maybe it is a completely absurd idea change the way Seam's security framework was designed. But as far as I can see with my limited view of the JAAS support in Seam, it seems SSO was not considered.
Sorry if this message is too long. Sorry if I insist, but I really would like to hear from the development team about this. :)
Thanks.
Gilson
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4088356#4088356
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4088356
18 years, 7 months
[JBoss Seam] - Objects created from link with page params
by damianharvey
I've just noticed that if I go to a page, Seam will look at all of the page.xml's for each link on the page and instantiate any objects referenced by page params. Is this expected?
For example if I have a page with 3 links eg: index.xhtml
| <s:link view="/page1.xhtml">Page 1</s:link>
| <s:link view="/page2.xhtml">Page 2</s:link>
| <s:link view="/page3.xhtml">Page 3</s:link>
And each page has a page.xml with a page parameter eg:page1.page.xml
| <param name="id" value="#{pageOneHome.Id}"/>
Then if I visit index.xhtml and look at /debug.seam I will see that pageOneHome, pageTwoHome and pageThreeHome will all be present. I would have thought that Seam would only need to create these objects when the links were actually clicked.
In my real case it means that every menu item that I have has it's backing bean created and any Beans that are injected into the Backing Bean with create=true.
This isn't a big deal, but does make it messy trying to determine when I actually do want an object created (I'm having some dramas with resetting some objects).
Cheers,
Damian.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4088355#4088355
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4088355
18 years, 7 months